When I add clients to the deployment server - server class tab
for example
Server Class > windows_wkstns > edit > edit clients
include(whitelist)
I get the following options:
Can be client name, host name, IP address, or DNS name
Is it advisable to add only one name, or the host name, DNS name, and client name?
Will adding all 3 vs just 1 result in more comprehensive / complete log collection?
Also how do you delete a client from the include list when you only have 1 client listed? I am testing different endpoints one at a time right now.
Thank you
As per the serverclass.conf documentation, the attribute applies to:
* The value of this attribute is matched against several things in order:
* Any clientName specified by the client in its deploymentclient.conf file
* The IP address of the connected client
* The hostname of the connected client, as provided by reverse DNS lookup
* The hostname of the client, as provided by the client
* For Splunk version > 6.4, the instanceId of the client. This is a GUID string, e.g. 'ffe9fe01-a4fb-425e-9f63-56cc274d7f8b'.
Therefore you want to match one, often DNS is the most logical match, in other cases (for example docker instances that are specifying a clientName specifically) then the clientName might be the most appropriate match.
You don't need to attempt to match both DNS & IP address for example.
Also how do you delete a client from the include list when you only have 1 client listed? I am testing different endpoints one at a time right now.
I would comment out that particular stanza if you have a whitelist of zero clients, to prevent confusion; otherwise I believe it will attempt to use the whitelist under [global].
Try:
splunk btool serverclass list --debug
and see what the global settings are, or test this and comment here :).
You might also want to run splunk btool check when no whitelist is specified to confirm it will work as expected.
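To make the match order above concrete, here is an added example (not from the original answer, and not Splunk's own code) that models how a whitelist entry is compared against the identifiers a client presents, in the documented order, over a constructed serverclass.conf fragment. It assumes a simplified client record with just those five identifiers, treats `*` in an entry as a wildcard (modelled with fnmatch), compares case-sensitively, and ignores blacklists and [global] inheritance; the conf text, host names, IPs and GUIDs are constructed for illustration. The point it shows is that a client only needs to match one entry, so listing its DNS name, IP and clientName in the same class adds nothing.

```python
import configparser
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed serverclass.conf fragment (illustrative only). Each class
# names its clients with the single identifier that is stable for them:
# DNS name for workstations, clientName for containers, IP range for servers.
# linux_servers deliberately carries a redundant second entry (an instanceId)
# to show that it changes nothing for a client already matched on IP.
SERVERCLASS_CONF = """
[serverClass:windows_wkstns]
whitelist.0 = wkstn-01.corp.example
whitelist.1 = wkstn-02.corp.example

[serverClass:docker_web]
whitelist.0 = docker-nginx-*

[serverClass:linux_servers]
whitelist.0 = 10.0.5.*
whitelist.1 = ffe9fe01-a4fb-425e-9f63-56cc274d7f8b
"""


@dataclass
class Client:
    """Simplified view of what the deployment server knows about a connected client (assumption)."""
    client_name: Optional[str]   # clientName from deploymentclient.conf, if the client set one
    ip: str                      # IP address of the connected client
    reverse_dns: Optional[str]   # hostname from reverse DNS lookup, if resolvable
    hostname: str                # hostname as reported by the client itself
    instance_id: str             # GUID of the instance

    def identifiers(self) -> List[str]:
        # The documented evaluation order, skipping identifiers the client lacks.
        order = (self.client_name, self.ip, self.reverse_dns, self.hostname, self.instance_id)
        return [ident for ident in order if ident]


def load_whitelists(conf_text: str) -> dict:
    """Parse serverClass stanzas into {class_name: [whitelist.0, whitelist.1, ...]}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(conf_text)
    classes = {}
    for section in cp.sections():
        if not section.startswith("serverClass:"):
            continue
        name = section.split(":", 1)[1]
        keys = [k for k in cp[section] if k.startswith("whitelist.")]
        keys.sort(key=lambda k: int(k.split(".", 1)[1]))  # whitelist.<n> in numeric order
        classes[name] = [cp[section][k] for k in keys]
    return classes


def matching_entry(whitelist: List[str], client: Client) -> Optional[Tuple[str, str]]:
    """First (entry, identifier) pair that matches, checking each entry against
    the client's identifiers in the documented order; None if nothing matches."""
    for pattern in whitelist:
        for ident in client.identifiers():
            if fnmatchcase(ident, pattern):  # '*' wildcard handling is an assumption
                return pattern, ident
    return None


def redundant_entries(whitelist: List[str], client: Client) -> List[str]:
    """Entries beyond the first match that also hit this client, i.e. entries
    that could be dropped without changing which class the client lands in."""
    hits = [p for p in whitelist if any(fnmatchcase(i, p) for i in client.identifiers())]
    return hits[1:]


def classes_for(client: Client, classes: dict) -> List[str]:
    """Server classes whose whitelist admits this client, in conf order."""
    return [name for name, wl in classes.items() if matching_entry(wl, client)]


CLASSES = load_whitelists(SERVERCLASS_CONF)

# Constructed clients. Only the workstation resolves in reverse DNS; the
# container has no reverse DNS but does set a clientName.
WKSTN = Client(None, "10.0.7.21", "wkstn-01.corp.example", "WKSTN-01",
               "11111111-2222-3333-4444-555555555555")
DOCKER = Client("docker-nginx-frontend", "172.17.0.3", None, "a1b2c3d4e5f6",
                "22222222-3333-4444-5555-666666666666")
DB = Client(None, "10.0.5.40", "db01.corp.example", "db01",
            "ffe9fe01-a4fb-425e-9f63-56cc274d7f8b")
UNKNOWN = Client(None, "192.168.1.9", None, "laptop",
                 "33333333-4444-5555-6666-777777777777")

if __name__ == "__main__":
    for label, c in (("wkstn", WKSTN), ("docker", DOCKER), ("db", DB), ("unknown", UNKNOWN)):
        print(label, "->", classes_for(c, CLASSES))
    print("db matched on:", matching_entry(CLASSES["linux_servers"], DB))
    print("db redundant entries:", redundant_entries(CLASSES["linux_servers"], DB))
```

Running it shows the workstation landing in windows_wkstns on its reverse-DNS name, the container landing in docker_web on its clientName, and the database host landing in linux_servers on its IP, with the instanceId entry reported as redundant. The real deployment server also applies blacklists and inherits settings from [global], which this model leaves out; use `splunk btool serverclass list --debug` on the deployment server to see the effective configuration.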
So just to be certain, it's best to use only one name, but pick the name that best suits the desired events?
Regarding my second question, I was using the GUI only and when I removed the only client and tried to save it warned that a whitelist entry was needed. But I will use your method as stated.
Yes, in my environment DNS names/server names are unique for non-docker instances so that's what we use 90% of the time.
For docker we have the client name set in the deploymentclient.conf file to make it easier to determine what the purpose of the docker container is.
instanceId I've rarely used but it might make sense in some circumstances....